Enumerating the current user's privileges (GetTokenInformation API)

349 views

Schmidtmayer Marc
Dec 22, 2004, 7:33:15 AM
Hi all,

I need to list all the privileges (and if they are enabled/disabled)
for a specific user.
I checked MSDN but I don't manage to make it work.
Can anyone help me out please?
Maybe someone has an example (VB, C++, …)?

Thanks,
Marc.

Chris Geier
Dec 23, 2004, 10:53:02 AM
When you say list all the privileges for a user, do you mean on the file
system or from a system/GPO perspective such as create page file, access this
computer from the network etc.? There are lots of utilities out there that do
this such as Xcalcs, NTrights, accessenum etc. The resource kit has some
good ones, as does sysinternals, and sysinternals will also provide the
source code.

marc.sch...@gb.be
Dec 24, 2004, 2:48:21 AM
> > Maybe someone has an example (VB, C++, ...) ?
> >
> > Thanks,
> > Marc.
> >

marc.sch...@gb.be
Dec 24, 2004, 2:49:22 AM

Well, I've written an application which manages users and uses an OCX
to set rights on folders and shares.
But I've a problem: all works fine when it runs under the context of
user 's_admin' (which is an administrator with all possible rights) but
not under the one which is dedicated/created for doing this.
I get the following error: "A required privilege is not held by the
client".
I looked at the problem here with the sysadmin but we can't find the
problem.
That's why I'd like to list the privileges at runtime for both users.
That way, I hope to see which privilege causes the problem ...
Thanks!
Marc.

Ivan Brugiolo [MSFT]
Dec 24, 2004, 1:58:17 PM
Once you have a Token to a security principal,
you can use GetTokenInformation(TokenPrivileges) to check which privileges
are present in the Token and which ones are enabled.

As far as debugging your problem goes,
you should narrow down the API that fails with Privilege-Not-Held.
Then, the documentation of that API should tell which privilege is required
to carry on the task.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


<marc.sch...@gb.be> wrote in message
news:1103874562.0...@z14g2000cwz.googlegroups.com...

Malpani@discussions.microsoft.com Raghu Malpani
Dec 29, 2004, 8:35:22 PM
Check out LsaEnumeratePrivilegesOfAccount in MSDN to do this
programmatically. Alternatively, you can use secpol.msc to see what
privileges are assigned to specific users.

Joe Richards [MVP]
Jun 18, 2006, 9:37:23 AM
In general you will find more folks will help out if you post the
briefest snippet of code you have that demonstrates the issue you are
having with it.

Also make sure you check the platform SDK (offline and online) for code
examples.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Grzegorz Wróbel
Jun 19, 2006, 3:25:31 AM
1. He doesn't have any code snippet to show, he asked for it.
2. This thread was started in 2004, where did you dig out the original message from?

Joe Richards [MVP] wrote:

--
677265676F727940346E6575726F6E732E636F6D

Frank Saunders, MS-MVP OE
Jun 19, 2006, 7:45:29 AM
"Grzegorz Wróbel" </dev/nu...@localhost.localdomain> wrote in message
news:e75iot$1lg$1...@nemesis.news.tpi.pl...

> 1. He doesn't have any code snippet to show, he asked for it.
> 2. This thread has been started in 2004, where did you dig out the
> original message from?


Marc's post is dated 2006 and does not have a references header.
So he just happened to use a title someone used in 2004. So what?

--
Frank Saunders, MS-MVP OE/WM
Reply in newsgroup
"They who would give up an essential liberty for temporary security, deserve
neither liberty or security"


Grzegorz Wróbel
Jun 19, 2006, 8:50:49 AM
Frank Saunders, MS-MVP OE wrote:

> "Grzegorz Wróbel" </dev/nu...@localhost.localdomain> wrote in message
> news:e75iot$1lg$1...@nemesis.news.tpi.pl...
>
>> 1. He doesn't have any code snippet to show, he asked for it.
>> 2. This thread has been started in 2004, where did you dig out the
>> original message from?
>
>
>
> Marc's post is dated 2006 and does not have a references header.
> So he just happened to use a title someone used in 2004. So what?
>

I haven't found Marc's post on my newsserver at all, only your reply. Searching the Google groups I found it with the date of December 2004 and it has exactly the same body as the one you have quoted. Also, according to Google, he got 5 replies in 2004. Your reply is the 6th one and is the first one dated 2006.

http://groups.google.com/group/microsoft.public.platformsdk.security/browse_thread/thread/7b8e5644c72b4206/64e40be2be63996d?lnk=st&q=Enumerating+the+current+user's+privileges+(GetTokenInformation+++API)&rnum=1&hl=en

--
677265676F727940346E6575726F6E732E636F6D

Grzegorz Wróbel
Jun 19, 2006, 8:58:22 AM
I'm sorry Frank, where I referred to you in my last post I meant Joe of course.
--
677265676F727940346E6575726F6E732E636F6D

Grzegorz Wróbel
Jun 19, 2006, 9:32:44 AM
Pasted from Google

>Well, I've written an application which manages users and uses an OCX
>to set rights on folders and shares.
>But I've a problem: all works fine when it runs under the context of
>user 's_admin' (which is an administrator with all possible rights) but
>not under the one which is dedicated/created for doing this.
>I get the following error: "A required privilege is not held by the
>client".
>I looked at the problem here with the sysadmin but we can't find the
>problem.
>That's why I'd like to list the privileges at runtime for both users.
>That way, I hope to see which privilege causes the problem ...
>Thanks!
>Marc.

Anyway, in case it is still relevant (I'm really not sure), I wrote a similar procedure some time ago for debugging purposes:

It's ugly because it draws messages directly to the window DC (I was debugging a winlogon screensaver!), but you can just replace wsprintf with printf and get rid of the GDI function calls and variables:

void ShowPrivileges(HDC hDC)
{
    OSVERSIONINFO osinfo;
    HANDLE hToken;
    TOKEN_PRIVILEGES* ptkp = NULL;
    char mytext[256];
    char name[256];
    SIZE fontsize;
    DWORD length = 0;
    int x = GetSystemMetrics(SM_CXFULLSCREEN);

    // Tokens and privileges only exist on the NT line, so skip Win9x.
    osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osinfo);
    if (osinfo.dwPlatformId == VER_PLATFORM_WIN32_NT) {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            wsprintf(mytext, "OpenProcessToken() failed (error code = %d)", GetLastError());
            GetTextExtentPoint32(hDC, mytext, strlen(mytext), &fontsize);
            TextOut(hDC, 600, 150, mytext, strlen(mytext));
            return;
        }

        // The first call only reports the required buffer size in 'length'.
        GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &length);
        ptkp = (TOKEN_PRIVILEGES*) new char[length];
        if (GetTokenInformation(hToken, TokenPrivileges, ptkp, length, &length) == 0) {
            wsprintf(mytext, "GetTokenInformation() failed (error code = %d)", GetLastError());
            GetTextExtentPoint32(hDC, mytext, strlen(mytext), &fontsize);
            TextOut(hDC, x - 250, 4 * fontsize.cy, mytext, strlen(mytext));
        }
        else {
            for (DWORD i = 0; i < ptkp->PrivilegeCount; i++) {
                // Translate the privilege LUID into its name (e.g. SeShutdownPrivilege).
                DWORD nameLen = sizeof(name);
                if (!LookupPrivilegeName(NULL, &(ptkp->Privileges[i].Luid), name, &nameLen))
                    lstrcpy(name, "<unknown>");
                wsprintf(mytext, "%s = %u", name, ptkp->Privileges[i].Attributes);
                GetTextExtentPoint32(hDC, mytext, strlen(mytext), &fontsize);
                TextOut(hDC, x - 250, 4 * fontsize.cy + i * fontsize.cy, mytext, strlen(mytext));
            }
        }
        delete[] (char*) ptkp;
        CloseHandle(hToken);
    }
}

Each displayed privilege is held and depending on the value it is:
0 - privilege not enabled
2 - privilege is enabled
3 - privilege is enabled by default (1+2)

Also you can get rid of TOKEN_ADJUST_PRIVILEGES flag in call to OpenProcessToken() if you're not going to adjust any.

--
677265676F727940346E6575726F6E732E636F6D
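Ivan's GetTokenInformation(TokenPrivileges) description and the attribute values listed above, worked through as an added example in C that is not code from the thread: it walks the current process token with TOKEN_QUERY only, names each privilege with LookupPrivilegeNameA, and decodes the Attributes bits, also covering the Removed and UsedForAccess bits the table above does not mention. The function names are my own; the decoder is portable, while the token walk is compiled only on Windows.

```c
/* Added example (not code from the thread): walk the current process token with
 * GetTokenInformation(TokenPrivileges) and decode each entry's Attributes field. */
#include <stdio.h>
#include <string.h>

/* Render Attributes as a flag list, e.g. 3 -> "Enabled,EnabledByDefault". No bits set
 * means the privilege is held but disabled. Bit values are the SE_PRIVILEGE_* constants
 * from winnt.h, restated here so the decoder builds anywhere. Static buffer: copy before reuse. */
const char *describe_privilege_attributes(unsigned long attrs)
{
    static char buf[80];
    static const struct { unsigned long bit; const char *name; } flags[] = {
        { 0x00000002UL, "Enabled" }, { 0x00000001UL, "EnabledByDefault" },
        { 0x00000004UL, "Removed" }, { 0x80000000UL, "UsedForAccess" } };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(attrs & flags[i].bit)) continue;
        if (buf[0]) strcat(buf, ",");
        strcat(buf, flags[i].name);
    }
    return buf[0] ? buf : "Disabled";
}
#ifdef _WIN32
#include <windows.h>
/* Print each privilege in the process token; returns the count or -1 on failure.
 * TOKEN_QUERY is enough to read; TOKEN_ADJUST_PRIVILEGES is only needed to change them. */
int list_token_privileges(void)
{
    HANDLE hToken;
    DWORD len = 0; int count = -1;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) return -1;
    /* The first call only reports the required size; the second fills the buffer. */
    GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &len);
    TOKEN_PRIVILEGES *tp = (TOKEN_PRIVILEGES *)LocalAlloc(LPTR, len);
    if (tp && GetTokenInformation(hToken, TokenPrivileges, tp, len, &len)) {
        for (DWORD i = 0; i < tp->PrivilegeCount; i++) {
            char name[128];
            DWORD nlen = sizeof name;
            if (!LookupPrivilegeNameA(NULL, &tp->Privileges[i].Luid, name, &nlen))
                strcpy(name, "<unknown LUID>");
            printf("%-32s %s\n", name, describe_privilege_attributes(tp->Privileges[i].Attributes));
        }
        count = (int)tp->PrivilegeCount;
    }
    if (tp) LocalFree(tp);
    CloseHandle(hToken);
    return count;
}
#endif
```

Link against advapi32 for the token and lookup calls; running it once under 's_admin' and once under the dedicated account shows which privilege is missing or left disabled in the second token.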

Alexander Grigoriev
Jun 19, 2006, 10:43:27 AM
It seems that some misconfigured NNTP server reposts really old threads.

"Frank Saunders, MS-MVP OE" <franks...@mvps.org> wrote in message
news:%23VB5mY5...@TK2MSFTNGP02.phx.gbl...

Joe Richards [MVP]
Jun 19, 2006, 1:48:18 PM
It is on the Microsoft server which is about as authoritative as it gets
for the Microsoft newsgroups and shows a post date of 6/18/2005. There
were no responses listed.

Possibly I should scan every bit of the header and then google for every
post I intend to respond to to make sure that it isn't an old post that
has come back so as not to annoy you.

Hmm nah, I respond to thousands of post and don't care all that much if
you get annoyed. I will have to depend on you to keep your chin up if I
happen to respond to something that the server shows as new that
actually isn't.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Joe Richards [MVP]
Jun 19, 2006, 1:48:13 PM
1. Yes he does, he wrote "checked MSDN but I don't manage to make it
work.". Obviously he has tried something. I am simply asking what did he
try and how did it fail. The failure could be in all sorts of areas,
some of which have nothing to do with the actual API call itself.
Posting a snippet that is condensed down to the issue point helps
illuminate the capability of the poster as well which can help ascertain
a problem.

2. It is listed on news.microsoft.com as brand new.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Grzegorz Wróbel
Jun 19, 2006, 3:09:25 PM
I'm not reading this on the Microsoft newsgroup, nor do I get annoyed seeing your reply after 1.5 years. Surprised maybe.

--
677265676F727940346E6575726F6E732E636F6D

Bob O`Bob
Jun 19, 2006, 3:17:45 PM
Joe Richards [MVP] wrote:
> It is on the Microsoft server which is about as authoritative as it gets
> for the Microsoft newsgroups and shows a post date of 6/18/2005. There
> were no responses listed.

some dumb software, apparently on NNTP-Posting-Host: 86.20.171.138
has been copying a few ancient threads back to msnews recently.
Recently, in this case, being Date: Sun, 18 Jun 2006 04:05:22 GMT

interestingly, it also inserts this unusual header:
X-Received-Date: Wed, 22 Dec 2004 12:33:04 GMT (newsbetxt1-gui.ntli.net)


I can't figure out where you got that *2005* date, but I guess it really doesn't matter.


Bob
--

Joe Richards [MVP]
Jun 19, 2006, 4:46:41 PM
Ah I typoed, should have been 6/18/2006. Maybe wishful thinking to make
myself a year younger. :)

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
